Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 4.0)
Interactive Detect Mode

Table Of Contents

Interactive Recommendations Mode

Overview

Activating the Interactive Recommendations Mode

Viewing Recommendations

Activating Recommendations


Interactive Recommendations Mode


The Detector module analyses diverted zone traffic in search of policy threshold violations. Once it detects a policy threshold violation, it analyses the results and creates a set of filters that can either be activated automatically or interactively. This chapter describes the interactive recommendations mode and includes the following major sections:

Overview

Activating the Interactive Recommendations Mode

Viewing Recommendations

Activating Recommendations

Overview

When a DDoS attack begins, the Detector module policies create dynamic filters. When the zone is in interactive recommendations mode, the Detector module does not activate these dynamic filters automatically but waits for your decision; until you decide, they are called pending filters. A recommendation is a summary of the pending filters grouped by the policy that produced them. It includes the name of the policy, data on the traffic anomaly that activated the policy, the number of pending filters and the recommended action. You decide which pending filters to accept, ignore, or direct to automatic activation, which gives you greater control over the measures taken while an attack is in progress.

The Detector module continues to produce pending filters to protect the zone for as long as the zone is in interactive recommendations mode. You can activate interactive recommendations mode at any time during zone protection, but you can view recommendations and their pending filters only while the zone is in interactive recommendations mode and a DDoS attack on the zone is in progress. You can apply interactive recommendations mode to a zone when you define the zone, or before or after you initiate zone protection.

When the Detector module has more than 1000 pending filters, it does the following:

It displays an error message instructing you to deactivate the zone and reactivate it in automatic mode.

It records the recommendations in the zone's log file and report, and then discards them.

To keep track of recommendations, do one of the following:

Use the show command at the zone prompt to view the status of the zone.

Use the event monitor command to receive notification when a new pending filter is created.

Use an external syslog server to receive notification of new pending filters.

You can stop interactive operation at any time and return to automatic operation. When you do, the Detector module disregards any decisions made while in interactive mode and accepts all currently pending filters. The policies resume automatically producing and activating their filters (see "Configuring Policy Templates and Policies").

Activating the Interactive Recommendations Mode

To activate the interactive recommendations mode for an existing zone, enter interactive at the zone prompt.

To create a new zone with interactive recommendations mode, enter the following at the Configuration prompt:

zone new-zone-name interactive

The argument new-zone-name specifies the name of the new zone. A zone name is an alphanumeric string that must start with a letter, cannot include any spaces and can have no more than 63 characters.

For example:

admin@DETECTOR-conf# zone scannew interactive

The new zone is created with a default zone template configured for interactive recommendations mode. See for further details.

Use the no interactive command to deactivate the interactive recommendations mode. When you deactivate the interactive mode, the interactive status of the policies becomes always-accept.

Viewing Recommendations

Use the show recommendations command to view a list of all recommendations for a zone, a specific recommendation, or the list of pending filters of a specific recommendation. The syntax for this command is as follows:

show recommendations [recommendation-id] [pending-filters]

Table 8-1 provides the keywords and arguments for the show recommendations command.

Table 8-1 Keywords and Arguments for the show recommendations Command 

Parameter
Description
recommendation-id

(Optional) The ID for a specific recommendation.

pending-filters

(Optional) Displays a list of the pending filters for a specific recommendation.


For example:

admin@DETECTOR-conf-zone-scannet# show recommendations

Table 8-2 describes the fields in the show recommendations command output.

Table 8-2 Field Descriptions for the show recommendations Command 

Field
Description

ID

The recommendation identification number.

Policy

The policy that created the recommendation.

Threshold

The policy threshold that was violated.

Detection date

The date and time the recommendation was created.

Attack flow

The characteristics of the attack flow. The characteristics include the protocol number, source IP, source port, destination IP, destination port and indicates whether the traffic is fragmented or not. Any indicates that there is both fragmented and non-fragmented traffic.

Min current rate

Minimum attack rate measured in packets per second (pps).

For recommendations that have several pending filters, the lowest current rate among the pending filters is displayed.

Max current rate

Maximum attack rate measured in packets per second (pps).

For recommendations that have several pending filters, the highest current rate among the pending filters is displayed.

No. of pending-filters

The number of pending filters created as a result of policy threshold violations.

Recommended action

The recommended action. This action is taken if you accept the recommendation.



Use the show recommendations command to display a list of all recommendations with recommendation IDs before displaying pending filters for a specific recommendation.

Table 8-3 describes the fields in the show recommendations pending-filters command output.

Table 8-3 Field Descriptions for the show recommendations pending-filters Command 

Field
Description

ID

The recommendation identification number.

Policy

The policy that created the recommendation.

Threshold

The policy threshold, in packets per second (pps), that was violated.

Pending-filter-id

The pending-filter identification number.

Detection date

The date and time the recommendation was created.

Attack flow

The flow characteristics of the attack. The characteristics include the protocol number, source IP, source port, destination IP, destination port and indicates whether the traffic is fragmented or not. Any indicates that there is both fragmented and non-fragmented traffic.

Triggering rate

The attack rate (in pps) that triggered the pending filter.

Current rate

The current attack rate in pps.

Recommended action

The recommended action. This action is taken if you accept the recommendation.

Action flow

The resulting characteristics of traffic flow to the zone if you accept the pending filter. The characteristics include the protocol number, source IP, source port, destination IP, destination port and indicates whether the traffic is fragmented or not. Any indicates that there is both fragmented and non-fragmented traffic.


A value of * for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the parameter.


Note You can view recommendations and their pending filters only if the zone is in interactive recommendations mode and a DDoS attack on the zone is in progress.


For example:

admin@DETECTOR-conf-zone-scannet# show recommendations 135 pending-filters

Activating Recommendations

You can decide whether or not to activate recommendations. You can make decisions for all recommendations, a specific recommendation, or for a specific pending filter. Your decisions determine whether the pending filters in a policy become dynamic filters and for how long.

You can instruct the Detector module to automatically activate the pending filters of a specific policy. You can also instruct the Detector module to prevent policies from producing recommendations. The Detector module's policies continue to produce recommendations as the DDoS attack continues and changes its characteristics.

View the zone status after making decisions to verify your decisions.

The recommended action is one of the following:

notify—The policy records the violation in the Detector's syslog.

remote-activate—The Detector activates one or more Guards to start protecting the zone.


Note When you accept a recommendation, additional recommendations that contain the same or partial flow as the accepted recommendation and have the same action and timeout are deleted.


Use the recommendation command at the zone prompt to decide on recommendations for a zone. The syntax for the command is as follows:

recommendation recommendation-id [pending-filters pending-filter-id] decision [timeout]

Table 8-4 provides the arguments and keywords for the recommendation command.

Table 8-4 Arguments and Keywords for the recommendation Command 

Parameters
Description

recommendation-id

The specific recommendation identification number. An asterisk (*) is a wildcard indicating all recommendations.

pending-filter-id

(Optional) The ID for a specific pending filter.

decision

The action taken on the recommendation. Possible values are:

accept—Accepts the specific recommendation. Its pending filters become dynamic filters.

always-accept—Accepts the specific recommendation and applies the same decision automatically whenever the policy that produced it produces new recommendations: their pending filters become dynamic filters without waiting for your decision.

If you take this action, the Detector module no longer displays such recommendations.

always-ignore—Ignores the specific recommendation. No dynamic filters or pending filters are produced. The decision applies automatically to all future recommendations produced by the policy.

If you decide to always ignore a recommendation, the Detector module no longer displays it.

timeout

(Optional) The length of time that the decision applies. Possible values are:

forever—The Detector module activates the dynamic filters produced by the recommendations for as long as detection is in effect (see the "Configuring Dynamic Filters" section for further details).

new-timeout—The Detector module activates the dynamic filters produced by the policies for a period of time, in seconds, that you define (see the "Configuring Dynamic Filters" section for further details).


You can configure the interactive status for a specific policy, or any part of it, and decide whether that part of the policy should produce recommendations and pending filters. See "Configuring the Interactive Status" section for further details. This gives you greater control and enables you to improve how policies adapt to traffic flows.

The Detector module does not display recommendations from policies whose interactive status is always-accept or always-ignore. When you decide to always ignore or always accept a recommendation, your decision becomes part of the interactive status of the policy that created the recommendation.
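The rules above (pending filters, the decisions of the recommendation command, the per-policy interactive status, the 1000-pending-filter limit and the duplicate-removal note) can be exercised offline with the following model. It is an added example, not Cisco's code or the Detector module's implementation: the class and method names, the reading of "same or partial flow" as a wildcard match on the flow fields, the default timeout, and the sample flows and rates in demo() are all assumptions made for this illustration.

```python
"""Offline model of the interactive recommendations workflow described above.
Added example, not Cisco code: names, the wildcard reading of "same or partial
flow" and the defaults are assumptions made so this chapter's rules (pending
filters, decisions, interactive status, the 1000-filter limit and the
duplicate-removal note) can be exercised on constructed sample flows."""
from collections import namedtuple
from dataclasses import dataclass, astuple

MAX_PENDING = 1000   # limit stated in this chapter
FOREVER = "forever"  # timeout keyword of the recommendation command

@dataclass(frozen=True)
class Flow:
    """Attack or action flow; "*" = undetermined or more than one value."""
    proto: str = "*"
    src_ip: str = "*"
    src_port: str = "*"
    dst_ip: str = "*"
    dst_port: str = "*"
    frag: str = "any"  # "any" = fragmented and non-fragmented traffic

    def covers(self, other):
        # Assumed reading of "same or partial flow": each field is a wildcard or equal.
        return all(a in ("*", "any") or a == b
                   for a, b in zip(astuple(self), astuple(other)))

PendingFilter = namedtuple("PendingFilter", "pf_id flow triggering_rate current_rate")
# action: "notify" or "remote-activate"; timeout: FOREVER or seconds, assumed to
# come from the policy; pending: mutable list of PendingFilter
Recommendation = namedtuple("Recommendation", "rec_id policy threshold action timeout pending")

class Zone:
    def __init__(self, name, interactive=True):
        self.name, self.interactive = name, interactive
        self.recommendations = {}     # rec_id -> Recommendation
        self.dynamic_filters = []     # (flow, action, timeout)
        self.interactive_status = {}  # policy -> "always-accept"/"always-ignore"
        self.log = []                 # stands in for the zone log file / syslog
        self._next_rec = self._next_pf = 1

    def policy_violation(self, policy, threshold, action, flows, timeout=FOREVER):
        """A policy threshold violation; flows is a list of (Flow, rate in pps).
        Returns the new Recommendation, or None if nothing is left pending."""
        status = self.interactive_status.get(policy)
        if not flows or status == "always-ignore":
            return None                                   # nothing is produced
        if not self.interactive or status == "always-accept":
            self.dynamic_filters += [(f, action, timeout) for f, _ in flows]
            return None                                   # activated directly
        if sum(len(r.pending) for r in self.recommendations.values()) + len(flows) > MAX_PENDING:
            self.log.append(f"ERROR {policy}: over {MAX_PENDING} pending filters; deactivate zone, reactivate in automatic mode")
            return None                                   # recorded, then discarded
        rec = Recommendation(self._next_rec, policy, threshold, action, timeout, [])
        self._next_rec += 1
        for f, rate in flows:
            rec.pending.append(PendingFilter(self._next_pf, f, rate, rate))
            self._next_pf += 1
        self.recommendations[rec.rec_id] = rec
        return rec

    def show_recommendations(self):
        """One summary row per recommendation, with the Table 8-2 fields."""
        return [{"id": r.rec_id, "policy": r.policy, "threshold": r.threshold,
                 "min_rate": min(p.current_rate for p in r.pending),
                 "max_rate": max(p.current_rate for p in r.pending),
                 "pending": len(r.pending), "action": r.action}
                for r in self.recommendations.values()]

    def recommendation(self, rec_id, decision, timeout=FOREVER, pending_filter_id=None):
        """The recommendation command; rec_id "*" addresses all recommendations."""
        assert decision in ("accept", "always-accept", "always-ignore")
        for rid in list(self.recommendations) if rec_id == "*" else [rec_id]:
            rec = self.recommendations.pop(rid, None)
            if rec is None:            # already removed by an earlier accept
                continue
            if decision != "accept":   # decision joins the policy's interactive status
                self.interactive_status[rec.policy] = decision
            if decision == "always-ignore":
                continue
            chosen = [p for p in rec.pending if pending_filter_id in (None, p.pf_id)]
            for p in chosen:
                self.dynamic_filters.append((p.flow, rec.action, timeout))
                rec.pending.remove(p)
            if rec.pending:            # undecided filters stay pending
                self.recommendations[rid] = rec
            # The note above: drop others with the same action/timeout whose flows are covered.
            for oid, other in list(self.recommendations.items()):
                if (other is not rec and (other.action, other.timeout) == (rec.action, rec.timeout)
                        and any(a.flow.covers(p.flow) for a in chosen for p in other.pending)):
                    del self.recommendations[oid]

def demo():
    """Constructed sample: a DNS flood seen by two policies; accepting the broader one removes the narrower."""
    z = Zone("scannet")
    dns = Flow(proto="17", dst_ip="192.0.2.10", dst_port="53")
    spoofed = Flow(proto="17", src_ip="198.51.100.7", dst_ip="192.0.2.10", dst_port="53")
    r1 = z.policy_violation("dns_udp", 1000, "remote-activate", [(dns, 4000), (spoofed, 2500)])
    z.policy_violation("udp_any", 5000, "remote-activate", [(spoofed, 2500)])
    z.recommendation(r1.rec_id, "accept", timeout=600)
    return z
```

In demo(), accepting recommendation 1 with a 600-second timeout activates both of its pending filters and, because recommendation 2 carries the same action and timeout and its flow is a narrower instance of the accepted flow, removes recommendation 2 as well, so show_recommendations() afterwards returns nothing. A violation submitted with more than 1000 filters pending is logged and discarded rather than queued, and a policy whose interactive status is always-ignore produces nothing at all.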

You can disable or inactivate a policy in order to prevent it from producing recommendations and their pending filters. Use the state command to disable or inactivate a policy. See the "Changing the Policy State" section for further details.

This example sets the interactive status to always-accept for the dns_tcp policy template with service 53 in the analysis protection module:

admin@DETECTOR-conf-zone-scannet-policy-/dns_tcp/53/analysis/# interactive-status always-accept

See "The Policy Sections" section for further details.